Abstract

This paper presents a theoretical and experimental comparison of sound proof rules for proving
invariance of algebraic sets, that is, sets satisfying polynomial equalities, under the flow of
polynomial ordinary differential equations. Problems of this nature arise in formal verification of
continuous and hybrid dynamical systems, where there is an increasing need for methods to expedite
formal proofs. We study the trade-off between proof rule generality and practical performance
and evaluate our theoretical observations on a set of heterogeneous benchmarks. The relationship
between increased deductive power and running time performance of the proof rules is far from
obvious; we discuss and illustrate certain classes of problems where this relationship is interesting.


1 Introduction


In safety verification of dynamical systems, either purely continuous or hybrid [24, 32], one is
typically concerned with ensuring that by initializing a system in some set of states $X_0 \subseteq X$
(where $X$ is the state space), the system will never evolve into an unsafe state (belonging to some
$X_u \subseteq X$). When the system is given by ordinary differential equations $\dot{x} = p(x)$, one may
attempt to solve this problem by showing that the solution to the initial value problem, for any
initial value $x_0 \in X_0$, cannot enter the unsafe region; that is, $x(x_0, t) \notin X_u$ for all
$t \geq 0$, where $x(x_0, t)$ is the state of the system at time $t$ w.r.t. the initial value $x_0$. This
safety verification problem is equivalent to showing that the intersection of the reachable set
$\{x(x_0, t) \in X \mid t \geq 0\}$ with the set of unsafe states is empty. However, solutions to ordinary
differential equations will rarely be available in closed form; and even when they are, will often
be much more complicated than the differential equations themselves. Instead, it is possible to
work with the differential equations directly [29, 23, 25, 32].

A fundamental notion in safety verification is that of an invariant set. In fact, exact reachable
sets of any given state $x_0$ of the system are the smallest invariant sets one can hope to find that
include $x_0$. However, obtaining and working with exact descriptions of reachable sets is not always
practical or even possible. This does not mean that system safety cannot be established by other
means - if one finds a larger invariant set, $I \subseteq X$, with a simpler (perhaps algebraic) description
which contains the reachable set and does not itself intersect the set of unsafe states
(i.e. $I \cap X_u = \emptyset$), then one can soundly conclude that the system is safe. In this paper, we
focus on checking whether a given set is an invariant region from which no system trajectory can
escape.

Hybrid systems verification completely reduces to questions about invariant regions [22, 24].
We focus on the important case where the invariant regions are algebraic sets, i.e. can be defined by
polynomial equations. Many sound proof rules already exist for deciding invariance properties of
algebraic sets. However, in order to identify a good trade-off, it is crucial to study the relationship
between the deductive power and the practical running time performance of these proof rules.

Contributions. (I) We theoretically compare the deductive power of 7 different proof rules for
checking invariance properties of algebraic sets under the flow of polynomial ordinary differential
equations. Further, we assess the practical utility of each of these rules in order to identify a
good trade-off between generality and running time performance. (II) We investigate the effect
of square-free reduction on both the deductive power and the computational complexity of the
proof rules. (III) We assess the practical proof rule performance on a heterogeneous set of
75 benchmarks. We demonstrate the counter-intuitive fact that square-free reduction does not
necessarily improve the computational efficiency of certain proof rules and explore interesting
connections between the deductive power and the practical running time performance that we
observe for the proof rules.

Content. In Section 2, we recall some basic definitions and concepts that will be used throughout
the paper. We then introduce (in Section 3) two proof rules that serve as extensions of Lie’s
criterion for equational invariants. In Section 4, we compare the deductive power of the proof
rules. The benefits and drawbacks of performing square-free reduction as a pre-processing step
are investigated in Section 5. In Section 6, we present the set of benchmarks and our experimental
results. We finally discuss other related work in Section 7 before concluding.
2 Preliminaries


We consider autonomous¹ polynomial vector fields (see Def. 1 below).

Let $x = (x_1, \dots, x_n) \in \mathbb{R}^n$, and $x(t) = (x_1(t), \dots, x_n(t))$, where
$x_i : \mathbb{R} \to \mathbb{R}$, $t \mapsto x_i(t)$. The ring of polynomials over the reals will be denoted by
$\mathbb{R}[x_1, \dots, x_n]$.


Definition 1 (Polynomial Vector Field). Let $p_i$, $1 \leq i \leq n$, be multivariate polynomials of the
polynomial ring $\mathbb{R}[x]$. A polynomial vector field, $p$, is an explicit system of ordinary differential
equations with polynomial right-hand side:

$$\frac{dx_i}{dt} = p_i(x), \quad 1 \leq i \leq n. \tag{1}$$


Since polynomial functions are smooth ($C^\infty$, i.e. they have derivatives up to any order), they
are locally Lipschitz-continuous. By the Cauchy-Lipschitz theorem (a.k.a. Picard-Lindelöf) [16],
there exists a unique maximal solution to the initial value problem ($\dot{x} = p$, $x(0) = x_0$) defined
for $t$ in some nonempty open interval.

For $h \in \mathbb{R}[x_1, \dots, x_n]$, if $h(x(t)) = 0$ for all $t \geq 0$, we say that the equation $h = 0$ is a
(positive) invariant under the flow of $p$. In differential dynamic logic [22], invariance of $h = 0$ is
semantically equivalent to the validity of the following formula:

$$(h = 0) \rightarrow [\dot{x} = p](h = 0) \tag{2}$$


Geometrically, the equation $h = 0$ represents the set of real roots of $h$. Such a set is known
as real algebraic set or a real variety and will be henceforth denoted by $V_{\mathbb{R}}(h)$. Algebraic sets are
intimately related to sets of polynomials with special algebraic properties called ideals. Ideals are
closed under addition and external multiplication; that is, if $I$ is an ideal, then for all
$h_1, h_2 \in I$, the sum $h_1 + h_2 \in I$; and if $h \in I$, then $qh \in I$, for all
$q \in \mathbb{R}[x_1, \dots, x_n]$. To say that the real variety $V_{\mathbb{R}}(h)$ of the ideal generated by $h$ is
invariant under the flow of the vector field $p$ is equivalent to the statement that the equation
$h = 0$ is invariant.

We will use $\nabla h$ to denote the gradient of $h : \mathbb{R}^n \to \mathbb{R}$, that is the vector of its partial
derivatives $\left(\frac{\partial h}{\partial x_1}, \dots, \frac{\partial h}{\partial x_n}\right)$. The Lie derivative of $h$ along the
vector field $p$ gives the rate of change of $h$ along the flow of $\dot{x} = p(x)$ and is formally defined
as the scalar product of $\nabla h$ and $p$.

$$\mathfrak{L}_p(h) = \nabla h \cdot p. \tag{3}$$

Higher-order Lie derivatives are defined recursively as
$\mathfrak{L}_p^{(k+1)}(h) = \mathfrak{L}_p(\mathfrak{L}_p^{(k)}(h))$, with $\mathfrak{L}_p^{(0)}(h) = h$.

We now recall five important proof rules for checking invariance of polynomial equalities, or
equivalently the validity of Eq. (2). In Fig. 1, DI= shows the differential invariant [23] proof rule
restricted to handling equalities. The condition imposed by the premise of DI= is sufficient, but
not necessary; it characterizes polynomial invariant functions. The premise of the Polynomial-scale
consecution proof rule [29], P-c in Fig. 1, requires $\mathfrak{L}_p(h)$ to be in the ideal generated by $h$.

¹ That is, the rate of change of the system over time depends only on the system’s state, not on time.
Non-autonomous systems with polynomial time-dependence can be made autonomous by adding an extra
clock variable that reflects the progress of time.
(DI=)  $\dfrac{\mathfrak{L}_p(h) = 0}{(h = 0) \rightarrow [\dot{x} = p](h = 0)}$

(Lie)  $\dfrac{h = 0 \rightarrow (\mathfrak{L}_p(h) = 0 \wedge \nabla h \neq 0)}{(h = 0) \rightarrow [\dot{x} = p](h = 0)}$

(C-c)  $\dfrac{\exists \lambda \in \mathbb{R},\ \mathfrak{L}_p(h) = \lambda h}{(h = 0) \rightarrow [\dot{x} = p](h = 0)}$

(P-c)  $\dfrac{\mathfrak{L}_p(h) \in \langle h \rangle}{(h = 0) \rightarrow [\dot{x} = p](h = 0)}$

(DRI)  $\dfrac{h = 0 \rightarrow \bigwedge_{i=1}^{N-1} \mathfrak{L}_p^{(i)}(h) = 0}{(h = 0) \rightarrow [\dot{x} = p](h = 0)}$

Figure 1: Proof rules for checking the invariance of $h = 0$ w.r.t. $p$: DI= [25, Theorem 3], C-c and P-c
[29, Lemma 2], Lie [21, Theorem 2.8], DRI [11, Theorem 2]


The condition is also only sufficient (but is particularly suitable for generating invariant varieties
[18]). We also consider the constant-scale consecution proof rule [29, 32], denoted by C-c. The
premise of proof rule C-c requires that $\mathfrak{L}_p(h) = \lambda h$, where $\lambda$ is a scalar, not a polynomial as
in P-c. It is therefore a simple special case of P-c. When $\lambda = 0$, one obtains the premise of
the proof rule DI=. It is worth noting that P-c, including its special case C-c, was mentioned as
early as 1878 [6] and used extensively in the study of integrability of dynamical systems, where
they are known as second integrals [14, Chapter 2]. It serves as a natural extension to invariant
functions, also known as first integrals, which are covered by the proof rule DI=. The proof rule
Lie gives Lie’s criterion [15, 21] for invariance of $h = 0$; this proof rule will be discussed in more
depth and extended to handle tricky cases in Section 3. The last rule, DRI in Fig. 1, was recently
introduced and characterizes (i.e. gives necessary and sufficient conditions for) invariant varieties
under the flow of polynomial vector fields [11]. The number $N$ in DRI is the maximum length of
the ascending chain of polynomial ideals
$\langle h \rangle \subset \langle h, \mathfrak{L}_p(h) \rangle \subset \langle h, \mathfrak{L}_p(h), \mathfrak{L}_p^{(2)}(h) \rangle \subset \cdots$,
which is finite and computable [11].


3 Lie’s Criterion

One immediate (and somewhat embarrassing) deficiency of the proof rule Lie (Fig. 1) is its inability
to prove invariance properties for isolated points (e.g. system equilibria) for the simple reason that
a description of such a point $a = (a_1, \dots, a_n) \in \mathbb{R}^n$ is (when $n > 1$) given by the sum-of-squares
equation $h(x) = (x_1 - a_1)^2 + \cdots + (x_n - a_n)^2 = 0$. This sum-of-squares polynomial $h$ is
positive-definite, i.e. $h(a) = 0$ and $h(x) > 0$ for all $x \in \mathbb{R}^n \setminus \{a\}$. Positive definite functions
have vanishing gradient at their minima, in this case $a$, and thus the formula
$h = 0 \rightarrow \nabla h = 0$ holds. This violates the regularity condition in the premise of the proof rule
Lie, namely:

$$h = 0 \rightarrow \nabla h \neq 0. \tag{4}$$

In fact, $h = 0 \rightarrow \mathfrak{L}_p(h) = 0$ is a necessary condition when $h = 0$ is an invariant equation. Note
that simply removing Eq. (4) from the premise of the proof rule Lie is unsound (see e.g. [25]);
that is, the condition $h = 0 \rightarrow \mathfrak{L}_p(h) = 0$ alone is insufficient to prove the invariance property for
$h = 0$. Unsoundness in the above naive attempt at a generalization is a consequence of singularities
that may be present in the variety $V_{\mathbb{R}}(h)$. Singularities of $V_{\mathbb{R}}(h)$ are points $x \in V_{\mathbb{R}}(h)$ where the
gradient of $h$ vanishes, i.e. $\nabla h(x) = 0$.

Definition 2 (Singular Locus). Let $h \in \mathbb{R}[x_1, \dots, x_n]$, the singular locus of $h = 0$, henceforth
denoted $\mathrm{SL}(h)$, is the set of singular points, that is, points $x$ satisfying

$$h = 0 \wedge \frac{\partial h}{\partial x_1} = 0 \wedge \cdots \wedge \frac{\partial h}{\partial x_n} = 0.$$

Points that are not singular are called regular. At singular points, the Lie derivative of $h$ along any
vector field is $0 \cdot p = 0$. To avoid these degenerate cases, the regularity condition (Eq. (4)) rules
out singularities altogether. In the next section we present two extensions of Lie’s criterion that, in
a similar vein to [30], partially overcome the strong regularity condition by treating the points on
the singular locus separately.


3.1 Handling Singularities

Equilibria are points in the state space where the vector field vanishes ($p = 0$) so that there is no
motion. However, as seen above, Lie’s criterion cannot generally be applied to prove invariance
properties of isolated equilibria because their description involves singularities. One simple way to
resolve this issue is to drop the non-vanishing gradient condition and replace it with the proviso that
there be no flow (that is $p = 0$) in the variables of the invariant candidate on the singular locus;
this will allow singularities in the invariant candidate and will provide a sound proof method in
which there is no need to check for non-vanishing gradient. Below we present two extensions to
the proof rule Lie and justify their soundness after recalling some basic geometric notions.

Definition 3 (Lie°: Lie + Equilibria).

(Lie°)  $\dfrac{h = 0 \rightarrow \left(\mathfrak{L}_p(h) = 0 \wedge \left(\mathrm{SL}(h) \rightarrow \bigwedge_{x_i \in \mathrm{vars}(h)} p_i = 0\right)\right)}{(h = 0) \rightarrow [\dot{x} = p](h = 0)}$,

where $\mathrm{vars}(h)$ denotes the set of state variables $x_i$ occurring in the polynomial $h$.

The Lie° proof rule can be generalized further at the expense of adding an extra variable by
replacing the “no flow” condition ($p = 0$) for points on the singular locus with
$\forall \lambda.\ h(x + \lambda p(x)) = 0$, where $\lambda$ is a fresh symbol.

Definition 4 (Lie*: Lie + Vanishing Sub-tangent).

(Lie*)  $\dfrac{h = 0 \rightarrow \left(\mathfrak{L}_p(h) = 0 \wedge \left(\mathrm{SL}(h) \rightarrow h(x + \lambda p) = 0\right)\right)}{(h = 0) \rightarrow [\dot{x} = p](h = 0)}$.
To prove soundness of Lie° and Lie*, we use a result about positive invariance of closed sets
under locally Lipschitz-continuous vector fields, known as the Nagumo theorem [20, 33, Chapter
10, XV-XVI, pp. 117-119], which gives a powerful (but generally intractable) geometric
characterization of positively invariant closed sets. The notion of positive invariance of the equation
$h = 0$ from Section 2 generalizes to an arbitrary set.

Definition 5 (Invariant Sets). A set $S$ is positively (negatively) invariant under the flow of
$\dot{x} = p$ if for all $x_0 \in S$ we have $x(x_0, t) \in S$ for all $t \geq 0$ ($t \leq 0$), where $x(x_0, t)$ is the
solution of the initial value problem ($\dot{x} = p$, $x(0) = x_0$). A set $S$ is bi-invariant if it is both
positively and negatively invariant.

Nagumo’s theorem needs the geometric notion of sub-tangential vectors to a set.

Definition 6 (Sub-tangent vector). A vector $v \in \mathbb{R}^n$ is sub-tangential to a set $S$ at $x \in S$ if

$$\liminf_{\lambda \to 0^+} \frac{\mathrm{dist}(S, x + \lambda v)}{\lambda} = 0,$$

where dist denotes the Euclidean set distance, i.e. $\mathrm{dist}(S, x) = \inf_{y \in S} \|x - y\|$.

Theorem 1 (Nagumo Theorem). Given a continuous system $\dot{x} = p(x)$ and assuming that solutions
exist and are unique inside some open set $O \subseteq \mathbb{R}^n$, let $S \subseteq O$ be a closed set. Then, $S$ is
positively invariant under the flow of the system if and only if $p(x)$ is sub-tangential to $S$ for all
$x \in \partial S$, where $\partial S$ is the boundary of $S$.

Let us observe that given $x \in \partial S$, if $x + \lambda p(x) \in S$ for all $\lambda \in \mathbb{R}$, then
$\mathrm{dist}(S, x + \lambda p(x)) = 0$ and $p(x)$ is sub-tangential to $S$ at $x$. This observation is important for
algebraic sets, for which $\partial S = S$, and the condition $x + \lambda p(x) \in S$ translates to
$h(x + \lambda p(x)) = 0$. This is the main idea behind the soundness of the proof rule Lie*.

Proposition 1. The proof rule Lie* is sound.

Proof. A point on the variety is either regular or singular. For regular points (these form an open
subset of the variety), since $\mathfrak{L}_p(h)(x) = 0$, the vector $p(x)$ is sub-tangent to the variety at $x$ (in
fact, it is even tangent, so the condition we check is exactly that which is used in Lie). At singular
points $x \in V_{\mathbb{R}}(h)$ if $h(x + \lambda p(x)) = 0$ holds for all $\lambda$ then
$\mathrm{dist}(V_{\mathbb{R}}(h), x + \lambda p(x)) = 0$ for all $\lambda$, from which it follows that
$\liminf_{\lambda \to 0^+} \frac{\mathrm{dist}(V_{\mathbb{R}}(h),\, x + \lambda p(x))}{\lambda} = 0$ and thus $p(x)$ is sub-tangential
to $V_{\mathbb{R}}(h)$ at $x$. Assuming solutions exist and are unique, the variety $V_{\mathbb{R}}(h)$ is positively invariant
under the vector field $p$ by Nagumo’s theorem. □

The case $p(x) = 0$ for all $x$ in the singular locus is a special case of the proof rule Lie*.
Therefore, the soundness of Lie° is an immediate corollary of Prop. 1.

Corollary 1. The proof rule Lie° is sound.

Remark 1. It is worth remarking that proof rules presented in this section, as well as Lie and
DI=, also work for non-polynomial vector fields and invariant candidates which themselves are
not polynomial but sufficiently smooth. However, in such cases the resulting arithmetic may no
longer be decidable [28].
4 Proof Rules: Hierarchy and Complexity

In this section, we compare the deductive power of the existing (Fig. 1) and the newly-introduced
proof rules (Lie° and Lie* in Section 3) for checking the invariance of algebraic sets. This study
should be complemented by another comparison that considers the interaction between the different
proof rules in the context of a formal proof system in a similar vein to [26]. We leave this for
future work.

Given two proof rules (let us call them $R_1$ and $R_2$) featuring the same conclusion

$$(h = 0) \rightarrow [\dot{x} = p](h = 0),$$

we will say that $R_2$ generalizes $R_1$ and write $R_2 \succcurlyeq R_1$ (or $R_1 \preccurlyeq R_2$), if the premise
of $R_1$ implies the premise of $R_2$. That is, if $R_1$ proves that $h = 0$ is an invariant, then so does
$R_2$. If $R_1 \preccurlyeq R_2$ and $R_1 \succcurlyeq R_2$, we say that $R_1$ and $R_2$ are equivalent, and denote this by
$R_1 \sim R_2$. Likewise, $R_1 \not\preccurlyeq R_2$ (or $R_2 \not\succcurlyeq R_1$) denotes that $R_1$ is not generalized by
$R_2$. We also write $R_1 \prec R_2$ when $R_1 \preccurlyeq R_2$ and $R_1 \not\succcurlyeq R_2$. That is, the rule $R_2$
increases the deductive power of $R_1$.

It is easy to see that the order $\preccurlyeq$ is a partial order (with $\sim$ acting as equality): it is
reflexive, $R \preccurlyeq R$ (the premise of $R$ implies itself); it is anti-symmetric (by definition), and
transitive: if $R_1 \preccurlyeq R_2$ and $R_2 \preccurlyeq R_3$, then the premise of $R_1$ implies the premise of $R_3$
by transitivity of the implication, so $R_1 \preccurlyeq R_3$. Finally, if $R_1 \not\preccurlyeq R_2$ and
$R_1 \not\succcurlyeq R_2$, we will write $R_1 \prec\succ R_2$ and say that the proof rules $R_1$ and $R_2$ are
incomparable. This means that for both $R_1$ and $R_2$ there are problems that one rule can prove and
the other cannot. In the sequel, we use the partial order $\preccurlyeq$ to illustrate the lattice
structure of the proof rules under consideration. In Section 4.2 we discuss the computational
complexity of the conditions appearing in their premises.

4.1 Hierarchy

We use the partial order ($\preccurlyeq$) to compare the deductive power of all considered proof rules

{DI=, C-c, P-c, Lie, Lie°, Lie*, DRI}.

For convenience, the propositions of this section are summarized in the comparison matrix (Fig. 3).
For instance, Prop. 6 proves that DI= $\prec\succ$ Lie. Cells without numbers are proved by transitivity
of the partial order. For instance, DI= $\prec$ DRI can be proved using DI= $\prec$ C-c (Prop. 2) and
C-c $\prec$ P-c (Prop. 3) and P-c $\prec$ DRI (Prop. 5). The Hasse diagram (Fig. 2) gives the lattice
structure where arrows represent strictly increasing deductive power; every missing edge in the
graph represents $\prec\succ$, as shown in the comparison matrix.

We begin by comparing Darboux-based proof rules, i.e. {DI=, C-c, P-c} and then proceed to
the Lie-based proof rule family, i.e. {Lie, Lie°, Lie*}. Next, we demonstrate the deductive
superiority of the necessary and sufficient conditions in the premise of the proof rule DRI. Finally,
we establish that Darboux-based proof rules and Lie-based proof rules form two distinct proof rule
families; that is, any proof rule from one family is deductively incomparable to any proof rule from
the other family.

Proposition 2. DI= $\prec$ C-c.
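[Hasse diagram: DRI at the top, above the two chains Lie → Lie° → Lie* → DRI and
DI= → C-c → P-c → DRI.]

Figure 2: Hasse diagram. An arrow $R_1 \rightarrow R_2$ means $R_1 \prec R_2$, all other non depicted links
mean ($\prec\succ$).

|      | DI= | C-c | P-c | Lie | Lie° | Lie* | DRI |
|------|-----|-----|-----|-----|------|------|-----|
| DI=  | $\sim$ | $\prec$ (2) | $\prec$ | $\prec\succ$ (6) | $\prec\succ$ (8) | $\prec\succ$ (7) | $\prec$ |
| C-c  | $\succ$ (2) | $\sim$ | $\prec$ (3) | $\prec\succ$ (9) | $\prec\succ$ (10) | $\prec\succ$ (10) | $\prec$ |
| P-c  | $\succ$ | $\succ$ (3) | $\sim$ | $\prec\succ$ (9) | $\prec\succ$ (10) | $\prec\succ$ (10) | $\prec$ (5) |
| Lie  | $\prec\succ$ (6) | $\prec\succ$ (9) | $\prec\succ$ (9) | $\sim$ | $\prec$ (4) | $\prec$ | $\prec$ |
| Lie° | $\prec\succ$ (8) | $\prec\succ$ (10) | $\prec\succ$ (10) | $\succ$ (4) | $\sim$ | $\prec$ (4) | $\prec$ |
| Lie* | $\prec\succ$ (7) | $\prec\succ$ (10) | $\prec\succ$ (10) | $\succ$ | $\succ$ (4) | $\sim$ | $\prec$ (5) |
| DRI  | $\succ$ | $\succ$ | $\succ$ | $\succ$ | $\succ$ | $\succ$ | $\sim$ |

Figure 3: Comparison matrix of the deductive power of
{DI=, C-c, P-c, Lie, Lie°, Lie*, DRI}. The numbers refer to the
propositions.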


Proof. The premise of the rule C-c requires the existence of some $\lambda \in \mathbb{R}$, such that
$\mathfrak{L}_p(h) = \lambda h$. In particular, $\lambda = 0$ gives the premise of DI=. Thus, DI= $\preccurlyeq$ C-c. To see
that DI= $\not\succcurlyeq$ C-c, consider the one-dimensional vector field $p = (x)$, we have
$\mathfrak{L}_p(x) = 1x$, and hence C-c ($\lambda = 1$) concludes that $x = 0$ is an invariant. However, DI= cannot
prove the invariance of $x = 0$ because $x$ is not a conserved quantity in the system. □


Proposition 3. C-c $\prec$ P-c.

Proof. The premise of the rule P-c requires the existence of some $\alpha \in \mathbb{R}[x]$, such that
$\mathfrak{L}_p(h) = \alpha h$ (equivalently, $\mathfrak{L}_p(h) \in \langle h \rangle$). In particular, the constant polynomial gives
the premise of C-c. Thus, C-c $\preccurlyeq$ P-c. To prove that C-c $\not\succcurlyeq$ P-c, consider the
two-dimensional vector field $p = (xy, x)$, we have $\mathfrak{L}_p(x) = xy$ (or equivalently
$\mathfrak{L}_p(x) \in \langle x \rangle \subset \mathbb{R}[x, y]$) and hence conclude, using P-c, that $x = 0$ is an invariant.
However, C-c fails to prove this invariant as the required cofactor is not a scalar. □


Proposition 4. Lie $\prec$ Lie° and Lie° $\prec$ Lie*.

Proof. We already established that Lie $\preccurlyeq$ Lie° (Prop. 1) and Lie° $\preccurlyeq$ Lie* (Prop. 1); we give
two counterexamples to establish the strict inclusion. (I) Lie $\not\succcurlyeq$ Lie°. Whenever the variety
has a singularity, the proof rule Lie will fail. Lie° is tailored to prove invariance of equilibrium
points in addition to regular points of the variety. For instance, for
$p = ((-1 + x_1)x_2,\ x_2(1 + x_2))$, Lie fails to prove that $h = (-1 + x_1)^2 + (1 + x_2)^2 = 0$ is
invariant as the gradient $\nabla h$ vanishes at $(1, -1)$ and $h((1, -1)) = 0$. However, at $(1, -1)$ we
also have $p_1 = p_2 = 0$, and hence the premise of Lie° is satisfied, and $h = 0$ is proved to be an
invariant under the flow of $p$. (II) Lie° $\not\succcurlyeq$ Lie*.
Figure 4: The invariance of the variety $V_{\mathbb{R}}(x_1^2 + x_1^3 - x_2^2)$ (left) provable using DI= (but not
Lie since $(0, 0)$ is a singular point) and a smooth invariant limit cycle
$V_{\mathbb{R}}(x_1^2 + x_2^2 - 1)$ (right) provable using Lie (but not DI= since it is not an invariant function).

In addition to equilibria, Lie* goes one step further and handles all singular points, $x$, where the
vector $x + \lambda p$ is in the variety $V_{\mathbb{R}}(h)$ for all $\lambda \in \mathbb{R}$ (that is $h(x + \lambda p) = 0$, for all
$\lambda$). For instance, consider the polynomial $h = x_1 x_2 x_3$, its singular locus is given by the three
axes $x_1 = x_2 = 0$, $x_1 = x_3 = 0$ and $x_2 = x_3 = 0$. For the vector field $p = (x_1, x_2, x_3)$, the
equilibrium point is at the origin $(0, 0, 0)$, which obviously does not contain the entire singular
locus of $h$. Thus, Lie° fails but Lie* succeeds because $h(x + \lambda p) = 0$ when $x$ is a point of one of
the axes. □


Proposition 5. P-c $\prec$ DRI and Lie* $\prec$ DRI.


Proof. DRI is both necessary and sufficient [11], so we know that P-c $\preccurlyeq$ DRI and
Lie* $\preccurlyeq$ DRI. To prove the claim it is left to show that (I) P-c $\not\succcurlyeq$ DRI. Consider the
following two-dimensional vector field: $p = ((-1 + x_1)(1 + x_1),\ (-1 + x_2)(1 + x_2))$. The candidate
invariant (given by the roots of the Motzkin polynomial)
$h = 1 - 3x_1^2 x_2^2 + x_1^4 x_2^2 + x_1^2 x_2^4 = 0$ cannot be proved using P-c, as
$\mathfrak{L}_p(h) \notin \langle h \rangle$. However, the invariance property may be proved using DRI. For this, we need
to consider the second-order Lie derivative of $h$ and we prove that
$\mathfrak{L}_p^{(2)}(h) \in \langle h, \mathfrak{L}_p(h) \rangle$. Thus, the premise of DRI holds for $N = 2$.
(II) Lie* $\not\succcurlyeq$ DRI. Consider the following three-dimensional vector field
$p = (-x_2 + x_1(1 - x_1^2 - x_2^2),\ x_1 + x_2(1 - x_1^2 - x_2^2),\ x_3)$. We want to prove that
$h = (-1 + x_1^2 + x_2^2)^2 + x_3^2 = 0$ is an invariant. In this case, the variety $V_{\mathbb{R}}(h)$ is exactly
equal to the singular locus of $h$ which is the two-dimensional unit circle $-1 + x_1^2 + x_2^2 = 0$.
However, at all points of this unit circle, the vector field $p$ is equal to $(-x_2, x_1, 0) \neq 0$, which
prevents us from using Lie* (because $h((x_1, x_2, 0) + \lambda(-x_2, x_1, 0)) \neq 0$ for some
$\lambda \in \mathbb{R}$). The rule DRI proves the invariance of $h = 0$ with $N = 2$. □


To appreciate the difference between DI= and Lie, let us note that while the condition in the
premise of DI= may seem strong (i.e. too conservative), singularities in the invariant candidate do
not present a problem for DI=, whereas the premise of Lie rules out such candidates altogether (see
Fig. 4). Indeed, the proof rule Lie cannot prove that $0 = 0$ (the whole space is invariant), whereas
this is the most trivial case for DI=.
Proposition 6 (DI= and Lie are incomparable.). DI= $\prec\succ$ Lie.

Proof. (I) DI= $\not\preccurlyeq$ Lie. For the vector field $p = (-2x_2,\ -2x_1 - 3x_1^2)$, the equation
$x_1^2 + x_1^3 - x_2^2 = 0$ is provable with DI= but not Lie, see Fig. 4 (left).
(II) DI= $\not\succcurlyeq$ Lie. For the vector field
$p = (x_1 - x_1^3 - x_2 - x_1 x_2^2,\ x_1 + x_2 - x_1^2 x_2 - x_2^3)$, the invariance of the limiting cycle
$x_1^2 + x_2^2 - 1 = 0$ is provable with Lie but not DI=, see Fig. 4 (right). □

We now prove that Lie-based proof rules {Lie, Lie°, Lie*}, and Darboux-based proof rules
{DI=, C-c, P-c} are two distinct families of proof rules; that is, any Lie-based proof is deductively
incomparable to any Darboux-based proof rule. The following lemma follows from the transitivity
of the partial order.

Lemma 1. If $R_1 \preccurlyeq R_2$ and $R_3 \prec\succ R_1$, then $R_2 \not\preccurlyeq R_3$.

Proof. Consider three proof rules $R_1$, $R_2$ and $R_3$. If $R_2 \preccurlyeq R_3$, using $R_1 \preccurlyeq R_2$, one
gets by transitivity $R_1 \preccurlyeq R_3$, which contradicts the assumption $R_3 \prec\succ R_1$. □

Proposition 7. DI= $\prec\succ$ Lie*.

Proof. Since Lie $\preccurlyeq$ Lie° (Prop. 1) and Lie° $\preccurlyeq$ Lie* (Prop. 1), then Lie $\preccurlyeq$ Lie*. By
Lem. 1, from Lie $\preccurlyeq$ Lie* and DI= $\prec\succ$ Lie (Prop. 6), we get Lie* $\not\preccurlyeq$ DI=. The following
example proves that DI= $\not\preccurlyeq$ Lie*: Consider the three-dimensional vector field
$p = (x_2, -x_1, 0)$. The invariance of the equation $x_3^2 + (-1 + x_1^2 + x_2^2 + x_3^2)^2 = 0$ cannot be
established using Lie* (the singular locus is a circle in $\mathbb{R}^3$), but is easily provable using DI= as
$\mathfrak{L}_p(h)$ vanishes. □

Proposition 8. DI= $\prec\succ$ Lie°.

Proof. By Lem. 1, from Lie $\preccurlyeq$ Lie° (Prop. 1) and DI= $\prec\succ$ Lie (Prop. 6), we get
Lie° $\not\preccurlyeq$ DI=. On the other hand, if DI= $\preccurlyeq$ Lie° then, by transitivity DI= $\preccurlyeq$ Lie*
(since Lie° $\preccurlyeq$ Lie* by Prop. 1), which contradicts DI= $\prec\succ$ Lie* (Prop. 7). Thus,
DI= $\not\preccurlyeq$ Lie°, and the proposition follows. □

Similarly, by substituting DI= by Lie, Lie* by P-c, and Lie° by C-c in Prop. 7 and Prop. 8 as
well as their respective proofs, we show that:

Proposition 9. Lie $\prec\succ$ P-c and Lie $\prec\succ$ C-c.

Proof. To complete the proof, we still need an example showing that Lie $\not\succcurlyeq$ P-c. Consider the
vector field $p = (3(-4 + x^2),\ 3 + xy - y^2)$, the proof rule Lie fails to prove that the equation
$h = -3 + x^2 + 2xy + 6y^2 + 2xy^3 + y^4 = 0$ is invariant as the singular locus of $h$ contains
$(-2, 1)$ and $(2, -1)$. However, $\mathfrak{L}_p(h) = (6x - 4y)h$ and therefore P-c proves that $h = 0$ is an
invariant equation. □
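The Darboux-family premises used in Props. 2, 3, 5, 6 and 9 all reduce to computing the Lie derivative of h along p and dividing it by h, so they can be checked mechanically. The following Python code is an added example, not code from the paper: the names `Poly`, `divide` and `darboux_rule` are assumptions made here, and exact division by the single generator h stands in for a general ideal-membership (Gröbner basis) test.

```python
from fractions import Fraction


class Poly:
    """Polynomial with rational coefficients: {exponent tuple: coefficient}."""

    def __init__(self, terms, n):
        self.n = n
        self.t = {m: Fraction(c) for m, c in terms.items() if c != 0}

    def _lift(self, o):
        return o if isinstance(o, Poly) else Poly({(0,) * self.n: o}, self.n)

    def __add__(self, o):
        out = dict(self.t)
        for m, c in self._lift(o).t.items():
            out[m] = out.get(m, 0) + c
        return Poly(out, self.n)

    def __neg__(self):
        return Poly({m: -c for m, c in self.t.items()}, self.n)

    def __sub__(self, o):
        return self + (-self._lift(o))

    def __rsub__(self, o):
        return self._lift(o) - self

    def __mul__(self, o):
        out = {}
        for m1, c1 in self.t.items():
            for m2, c2 in self._lift(o).t.items():
                m = tuple(a + b for a, b in zip(m1, m2))
                out[m] = out.get(m, 0) + c1 * c2
        return Poly(out, self.n)

    __radd__, __rmul__ = __add__, __mul__

    def __pow__(self, k):
        out = self._lift(1)
        for _ in range(k):
            out = out * self
        return out

    def __eq__(self, o):
        return self.t == self._lift(o).t

    def __repr__(self):
        items = sorted(self.t.items(), reverse=True)
        return " + ".join(f"({c})*x^{m}" for m, c in items) or "0"

    def diff(self, i):
        """Partial derivative with respect to variable number i."""
        return Poly({m[:i] + (m[i] - 1,) + m[i + 1:]: c * m[i]
                     for m, c in self.t.items() if m[i]}, self.n)


def variables(n):
    """The n coordinate polynomials x_1, ..., x_n."""
    return [Poly({tuple(int(i == j) for j in range(n)): 1}, n) for i in range(n)]


def lie_derivative(h, p):
    """Eq. (3): scalar product of the gradient of h with the vector field p."""
    return sum((h.diff(i) * pi for i, pi in enumerate(p)), Poly({}, h.n))


def divide(f, g):
    """Divide f by the single nonzero polynomial g (lex order): f = q*g + r.
    r is zero exactly when f lies in the ideal generated by g."""
    lead = max(g.t)  # tuple comparison is the lexicographic monomial order
    q, r = Poly({}, f.n), Poly({}, f.n)
    while f.t:
        m = max(f.t)
        if all(a >= b for a, b in zip(m, lead)):
            term = Poly({tuple(a - b for a, b in zip(m, lead)): f.t[m] / g.t[lead]}, f.n)
            q, f = q + term, f - term * g
        else:
            term = Poly({m: f.t[m]}, f.n)
            r, f = r + term, f - term
    return q, r


def darboux_rule(h, p):
    """Least general rule among DI=, C-c, P-c whose premise holds for h = 0,
    with the cofactor; (None, remainder) if L_p(h) is not a multiple of h."""
    lie = lie_derivative(h, p)
    if not lie.t:
        return "DI=", lie
    q, r = divide(lie, h)
    if r.t:
        return None, r
    return ("C-c" if set(q.t) == {(0,) * h.n} else "P-c"), q


def page_examples():
    """The vector fields and candidates quoted in the propositions above."""
    (x,) = variables(1)
    out = {"Prop. 2": darboux_rule(x, [x])}
    x, y = variables(2)
    out["Prop. 3"] = darboux_rule(x, [x * y, x])
    out["Prop. 5 (I)"] = darboux_rule(1 - 3 * x**2 * y**2 + x**4 * y**2 + x**2 * y**4,
                                      [(x - 1) * (x + 1), (y - 1) * (y + 1)])
    out["Prop. 6 (I)"] = darboux_rule(x**2 + x**3 - y**2, [-2 * y, -2 * x - 3 * x**2])
    out["Prop. 9"] = darboux_rule(-3 + x**2 + 2 * x * y + 6 * y**2 + 2 * x * y**3 + y**4,
                                  [3 * (x**2 - 4), 3 + x * y - y**2])
    return out


if __name__ == "__main__":
    for name, (rule, poly) in page_examples().items():
        print(name, rule, poly)
```

A result of `None` only says that no Darboux-family rule applies; as Prop. 5 shows for the Motzkin polynomial, the candidate may still be invariant and provable with DRI.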

The remaining cases follow from the results established above.

Proposition 10. For $d \in$ {C-c, P-c}, $\ell \in$ {Lie°, Lie*}, $d \prec\succ \ell$.

Proof. Since DI= $\prec d$, if $d \preccurlyeq \ell$, then DI= $\preccurlyeq \ell$. However, DI= $\prec\succ \ell$ (Prop. 7 and
Prop. 8). Thus $d \not\preccurlyeq \ell$. Similarly, since $\ell \succ$ Lie, if $d \succcurlyeq \ell$, then
$d \succcurlyeq$ Lie which contradicts $d \prec\succ$ Lie (Prop. 9). Hence $d \not\succcurlyeq \ell$ and the
proposition follows. □

Remark 2. Provided the invariant candidate has no singular points, Lie’s criterion is known to be
both necessary and sufficient to prove invariance properties of level sets [21, Theorem 2.8]. Also,
DI= characterizes invariant functions [25] but not all invariant equations. On the other hand,
for algebraic differential equations, the differential radical criterion in DRI fully characterizes all
invariant algebraic sets [11]. Thus, as established in Prop. 5, DRI increases the deductive power
of both Darboux-based rules {DI=, C-c, P-c} and Lie-based rules {Lie, Lie°, Lie*}, which form
different families.

4.2  Complexity 

While  decidable  [31],  the  complexity  of  real  quantifier  elimination  is  doubly  exponential  in  the 
number  of  quantifier  alternations  [7].  Most  existing  implementations  of  real  quantifier  elimination 
procedures are based on cylindrical algebraic decomposition (CAD) [3, 4], which has
doubly-exponential running time in the number of variables.

The  purely  existential  fragment  of  real  quantifier  elimination  has  been  shown  to  exhibit  singly 
exponential  time  complexity  in  the  number  of  variables  [1].  However,  in  practice  this  has  not  yet 
led to an efficient decision procedure, so typically it is much more efficient to use CAD.
Theoretically, the best bound on the complexity of deciding a sentence in the universal theory of
$\mathbb{R}$ is given by $(sd)^{O(n)}$, where s is the number of polynomials in the formula, d their
maximum degree and n the number of variables [1].

The  premises  of  rules  DI=,  Lie,  Lie°,  Lie*  are  universally  quantified  sentences  in  the  theory  of 
real  arithmetic.  One  sees  from  the  expression  for  the  complexity  bound  that  it  is  important  for  these 
rules  to  keep  the  number  of  variables  low  and  also  that  it  is  desirable  to  work  with  polynomials  of 
low  degree.  In  this  respect,  we  would  anticipate  the  rule  Lie*  to  incur  a  performance  penalty  from 
introducing  a  fresh  variable. 

C-c and P-c involve reasoning about multivariate polynomial ideal membership, which is an
EXPSPACE-complete problem over $\mathbb{Q}$ [19]. Gröbner basis algorithms allow us to perform
membership checks in ideals generated by multivariate polynomials. Significant advances have been
made in algorithms for computing Gröbner bases [10] which in practice can be expected to
perform very well.

The  premise  of  DRI  may  be  decided  using  a  real  quantifier  elimination  procedure,  like  any 
other  first-order  sentence  in  the  theory  of  real  arithmetic.  However,  in  order  to  obtain  the  bound  N 
on the order of the Lie derivatives, one is also required to check for polynomial ideal membership
at least N − 1 times.


5  Square-free  Reduction 

In  this  section  we  assess  the  utility  of  performing  square-free  reduction  of  invariant  candidates  as  a 
means  of  (i)  increasing  the  deductive  power  of  Lie-based  proof  rules  and  (ii)  simplifying  problems 
passed  to  decision  procedures  for  real  arithmetic. 




5.1  Square-free  Reduction  with  Lie-based  Proof  Rules 

While Lie uses a powerful criterion that captures a large class of practically relevant invariant
sets, it will fail for some seemingly simple invariant candidates. For instance, the condition in the
premise of Lie will not hold when the goal is to prove that $h = x^2 - 6x + 9 = 0$ is invariant, no
matter what vector field one considers. The reason for this is simple: $x^2 - 6x + 9$ factorizes into
$(x - 3)^2$. The problem here lies in the polynomial h itself, rather than the real variety $V_{\mathbb{R}}(h)$. In
fact, $V_{\mathbb{R}}(h)$ is exactly the singular locus of h and the proof rule Lie fails because all points inside
are singular points. More generally, the chain rule implies $\nabla h^k \cdot p = k h^{k-1} \nabla h \cdot p$, which
has the consequence that any polynomial h which is not square-free will have vanishing gradient
at the real roots of factors with multiplicity greater than 1.

One  can  eliminate  such  annoying  instances  by  reducing  h  to  square-free  form,  which  is  a  basic 
pre-processing  step  used  in  computer  algebra  systems.  The  square-free  reduction  of  a  polynomial 
h  may  be  computed  efficiently  as  follows: 
Intuitively, in performing square-free reduction we hope to shrink the singular locus of the original
polynomial. If SL(SF(h)) is the empty set (which is the case for $h = x^2 - 6x + 9$ in the example
given above), the proof rule Lie applies to SF(h) but not to h. In general, SF(h) may satisfy the
assumptions of the proof rules Lie° or Lie*, where h fails to do so. It is always sound to conclude
that h = 0 is invariant from the knowledge that SF(h) = 0 is invariant, since real varieties remain
unaltered under square-free reduction of their defining polynomials [5], i.e. $V_{\mathbb{R}}(h) = V_{\mathbb{R}}(\mathrm{SF}(h))$,
thus replacing h with SF(h) in the premise of Lie, Lie° and Lie* remains sound and enlarges the
class of polynomials that these proof rules can work with.

Proposition 11. For all ℓ ∈ {Lie, Lie°, Lie*}, ℓ ≺ SFℓ.


This  result  is  unsurprising  when  one  understands  that  Lie-based  proof  rules  use  geometric 
concepts  to  prove  invariance  properties  of  sets.  In  fact,  the  square-free  reduction  removes  some 
purely  algebraic  oddities  that  prevent  the  geometric  condition  from  holding  true  when  checked 
syntactically  by  a  machine. 

In  addition  to  increasing  the  deductive  power,  the  square-free  reduction  reduces  the  total  degree 
of  the  polynomial  in  the  invariant  candidate  and  hence  serves  to  reduce  the  complexity  of  deciding 
the  conditions  in  the  premise  (see  Section  4.2).  In  our  implementation,  we  adopt  the  convention 
that invariant candidates supplied to Lie and its generalizations are square-free reduced in a
pre-processing step.


5.2  Square-free  Reduction  with  Darboux-based  proof  rules 

Unlike Lie-based proof rules, it is perhaps surprising that using square-free reduction as a
pre-processing step for the proof rules DI= and C-c, denoted SFDI= and SFC-c respectively, does not,
in general, increase the deductive power.

Proposition 12. DI= ≺≻ SFDI=.

Proof. (I) DI= ⋠ SFDI=. The polynomial $h = x^2 y$ is an invariant function for the vector field
$p = (\frac{\partial h}{\partial y}, -\frac{\partial h}{\partial x}) = (x^2, -2xy)$, thus DI= proves the invariance of h = 0. However, SF(h) is not an
invariant function for the same vector field, since $\mathfrak{L}_p(\mathrm{SF}(h)) = \mathfrak{L}_p(xy) = -x^2 y \neq 0$, thus SFDI=
fails to prove the invariance of h = 0. (II) SFDI= ⋠ DI=. Similarly, the polynomial $h = xy$ is an
invariant function for the vector field $p = (\frac{\partial h}{\partial y}, -\frac{\partial h}{\partial x}) = (x, -y)$, thus SFDI= proves the invariance
of $x^2 y = 0$, since $\mathrm{SF}(x^2 y) = h$. However, DI= fails to prove the invariance of $x^2 y = 0$, because
$\mathfrak{L}_p(x^2 y) = x^2 y \neq 0$. □

Prop.  12  may  at  first  seem  counter-intuitive.  However,  the  criterion  in  the  premise  of  DI=  is 
different  in  that  it  proves  that  the  candidate  h  is  an  invariant  function.  In  performing  square-free 
reduction on h, one in general obtains a different function, SF(h), which need not be conserved in
the system if h is conserved or, conversely, may be conserved even if h is not.

The  same  observation  holds  for  C-c  as  the  SF  reduction  does  not  preserve  the  constant  rate 
exponential  decrease  (or  increase). 

Proposition 13. C-c ≺≻ SFC-c.

Proof. (I) C-c ⋠ SFC-c. The proof rule C-c proves the invariance of $h = x^2 y = 0$ for the
vector field $p = (x^2, y(1 - 2x))$ as $\mathfrak{L}_p(h) = 1h$. However, C-c cannot prove SF(h) = 0, since
$\mathfrak{L}_p(\mathrm{SF}(h)) = \mathfrak{L}_p(xy) = (1 - x)\,\mathrm{SF}(h)$. (II) SFC-c ⋠ C-c. For the same h, C-c proves the
invariance of SF(h) = 0 for the vector field $p = (x^2, y(1 - x))$ as $\mathfrak{L}_p(\mathrm{SF}(h)) = \mathfrak{L}_p(xy) =
1\,\mathrm{SF}(h)$. However, without the SF reduction C-c alone fails to prove the invariance of h = 0 for
the considered p, as $\mathfrak{L}_p(h) = (x + 1)h$. □

After  Prop.  12  and  13,  one  expects  P-c  to  be  incomparable  with  its  square-free  counterpart. 
Surprisingly,  the  proof  rules  P-c  and  SFP-c  (which  applies  P-c  after  the  square-free  reduction)  are 
in  fact  equivalent.  This  follows  from  the  fact  that  a  polynomial  is  Darboux  for  a  vector  field  p  if 
and  only  if  all  its  factors  are  also  Darboux  for  the  same  vector  field.  Our  findings  are  stated  in 
Prop.  14  and  its  corollary  Prop.  15. 

Proposition 14. Let $h = q_1^{m_1} \cdots q_r^{m_r}$ denote the decomposition of the polynomial h into irreducible
(over the reals) factors $q_i$. Then, h is Darboux for p if and only if, for all i, $q_i$ is Darboux for p.

Proof. If, for all i, the polynomial $q_i$ is Darboux for p, then $q_i$ divides $\mathfrak{L}_p(q_i)$, i.e.
$\frac{\mathfrak{L}_p(q_i)}{q_i} \in \mathbb{R}[x_1, \dots, x_n]$. Therefore, using the chain rule,

(10)

and h is also Darboux for p.

If h is Darboux for p, then h divides $\mathfrak{L}_p(h)$ and $\frac{\mathfrak{L}_p(h)}{h}$ is a polynomial. Recall that
$\mathrm{SF}(h) = q_1 \cdots q_r$. Using Eq. (9), one gets

$$\frac{\mathfrak{L}_p(h)}{h}\,\mathrm{SF}(h) = \sum_{i=1}^{r} m_i\,\frac{\mathfrak{L}_p(q_i)}{q_i}\,\mathrm{SF}(h). \qquad (11)$$

For a fixed i, $q_i$ divides SF(h); it thus divides the left hand side of Eq. (11). Moreover, $q_i$ divides
$\frac{\mathrm{SF}(h)}{q_j}$, for all $j \neq i$. It thus necessarily divides $\frac{\mathrm{SF}(h)}{q_i}\,\mathfrak{L}_p(q_i)$. If $q_i$ divides $\frac{\mathrm{SF}(h)}{q_i}$, then there exists
$j \neq i$ such that $q_i$ divides $q_j$, which contradicts the fact that all factors $q_1, \dots, q_r$ are irreducible.
Thus, $q_i$ divides $\mathfrak{L}_p(q_i)$ and $\mathfrak{L}_p(q_i) \in \langle q_i \rangle$. □

Note: Prop. 14 generalizes [9, Proposition 8.4] which states a similar result for 2-dimensional
systems and polynomials over $\mathbb{C}$.

Proposition  15.  P-c  ~  SFP-c. 

Proof. The proof rule P-c proves the invariance of h = 0 for p if and only if the polynomial h is
Darboux. However, by Prop. 14, h is Darboux if and only if SF(h) is also Darboux. Therefore,
SFP-c could be used equivalently to prove the invariance of h = 0. □

Remark 3. The condition $\mathfrak{L}_p(p) \in \langle \mathrm{SF}(p) \rangle$, which is weaker than $\mathfrak{L}_p(p) \in \langle p \rangle$, is not sufficient
to prove the invariance of p = 0. It is therefore an unsound proof rule. Consider the polynomial
$p = (-1 + x^2)^2$ and the 1-dimensional vector field $x' = x$. Although $\mathfrak{L}_p(p) = 4(-1 + x^2)x^2 \in
\langle -1 + x^2 \rangle = \langle \mathrm{SF}(p) \rangle$, the equation p = 0 is not invariant, because $x(t) = \pm e^t$. Notice
that the proof rule P-c (with or without the square-free reduction) is unable to prove or disprove
the invariance of p = 0.
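
The counterexamples of Prop. 9, Prop. 12, Prop. 13 and Remark 3 can be checked mechanically. The following Python code is an added example, not the authors' implementation. It assumes the premises as this section describes them (DI=: the Lie derivative is the zero polynomial; C-c: it is a constant multiple of h; P-c: it lies in the ideal generated by h), takes SF(h) as given by the text instead of computing it, and uses hypothetical helper names (poly, add, mul, diff, lie, divide, rules).

```python
from fractions import Fraction

# A polynomial is a dict {exponent tuple: Fraction}; (2, 1) stands for x^2*y.

def poly(terms):
    """Build a polynomial from {exponents: coefficient}, dropping zeros."""
    return {e: Fraction(c) for e, c in terms.items() if c != 0}

def add(f, g, scale=1):
    """Return f + scale*g."""
    out = dict(f)
    for e, c in g.items():
        out[e] = out.get(e, 0) + scale * c
    return {e: c for e, c in out.items() if c != 0}

def mul(f, g):
    """Return the product f*g."""
    out = {}
    for e1, c1 in f.items():
        for e2, c2 in g.items():
            e = tuple(a + b for a, b in zip(e1, e2))
            out[e] = out.get(e, 0) + c1 * c2
    return {e: c for e, c in out.items() if c != 0}

def diff(f, i):
    """Partial derivative of f with respect to variable number i."""
    return {e[:i] + (e[i] - 1,) + e[i + 1:]: c * e[i]
            for e, c in f.items() if e[i] > 0}

def lie(h, p):
    """Lie derivative of h along the vector field p: grad(h) . p."""
    total = {}
    for i, p_i in enumerate(p):
        total = add(total, mul(diff(h, i), p_i))
    return total

def divide(f, h):
    """Return q with f == q*h, or None when h does not divide f.

    Exact division by one polynomial (inputs built with poly()): in the
    lexicographic monomial order the leading term of h must divide the
    leading term of every intermediate remainder, else f is not in <h>.
    """
    lead = max(h)
    q, rest = {}, dict(f)
    while rest:
        top = max(rest)
        if any(a < b for a, b in zip(top, lead)):
            return None
        term = {tuple(a - b for a, b in zip(top, lead)): rest[top] / h[lead]}
        q = add(q, term)
        rest = add(rest, mul(term, h), scale=-1)
    return q

def rules(h, p):
    """Which Darboux-based premises hold for the candidate h = 0 under p."""
    d = lie(h, p)
    cofactor = divide(d, h)
    constant = cofactor is not None and all(not any(e) for e in cofactor)
    return {
        "DI=": not d,                # Lie derivative is the zero polynomial
        "C-c": constant,             # Lie derivative = c*h with c constant
        "P-c": cofactor is not None, # Lie derivative lies in <h> (h is Darboux)
    }

# Examples from the text, in variables (x, y).
X2Y = poly({(2, 1): 1})                                      # h = x^2 y
XY = poly({(1, 1): 1})                                       # SF(h) = x y
P12_I = (poly({(2, 0): 1}), poly({(1, 1): -2}))              # p = (x^2, -2xy)
P12_II = (poly({(1, 0): 1}), poly({(0, 1): -1}))             # p = (x, -y)
P13_I = (poly({(2, 0): 1}), poly({(0, 1): 1, (1, 1): -2}))   # p = (x^2, y(1 - 2x))
P13_II = (poly({(2, 0): 1}), poly({(0, 1): 1, (1, 1): -1}))  # p = (x^2, y(1 - x))
# Prop. 9: h = -3 + x^2 + 2xy + 6y^2 + 2xy^3 + y^4, p = (3(-4 + x^2), 3 + xy - y^2)
H9 = poly({(0, 0): -3, (2, 0): 1, (1, 1): 2, (0, 2): 6, (1, 3): 2, (0, 4): 1})
P9 = (poly({(0, 0): -12, (2, 0): 3}), poly({(0, 0): 3, (1, 1): 1, (0, 2): -1}))
# Remark 3 (one variable): p = (-1 + x^2)^2, SF(p) = -1 + x^2, field x' = x
R3 = poly({(4,): 1, (2,): -2, (0,): 1})
R3_SF = poly({(2,): 1, (0,): -1})
R3_FIELD = (poly({(1,): 1}),)

if __name__ == "__main__":
    cases = [("Prop. 12 (I)", P12_I), ("Prop. 12 (II)", P12_II),
             ("Prop. 13 (I)", P13_I), ("Prop. 13 (II)", P13_II)]
    for name, field in cases:
        print(name, "h:", rules(X2Y, field), "SF(h):", rules(XY, field))
    print("Prop. 9 cofactor:", divide(lie(H9, P9), H9))
    in_sf_ideal = divide(lie(R3, R3_FIELD), R3_SF) is not None
    print("Remark 3: in <SF(p)>:", in_sf_ideal, "P-c:", rules(R3, R3_FIELD)["P-c"])
```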

5.3  Square-free  Reduction  On  Differential  Radical  Invariants  (DRI) 

Square-free  reduction  cannot  increase  the  deductive  power  of  the  proof  rule  DRI  because  its 
premise  is  necessary  and  sufficient  to  prove  invariance  of  real  algebraic  sets,  which  is  unaffected 
by applying SF reduction. However, the computational impact of using square-free reduction with
DRI remains an interesting question. Empirically, we observed a better performance of DRI when
the SF reduction is applied first. In addition to lowering the degrees of the involved polynomials
(as it did for Lie-based proof rules), we observed that the order $N_{\mathrm{SF}}$ for SF(h) is always lower than
the order N for h. We, therefore, conjecture $N_{\mathrm{SF}} < N$. However, in Ex. 1 below, the square-free
reduction resulted in a significant (×100) computational overhead due to the ideal membership
checking (which we perform using Gröbner bases with reverse lexicographic monomial ordering).

Example  1.  Consider  the  following  vector  field  p: 

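$$
\begin{aligned}
x_1' &= -24\,(x_1 + x_3)\,(x_3^6 - 3x_1^2x_2^2x_3^2 + x_1^4x_2^2 + x_1^2x_2^4)\,x_4x_5\,(x_7^2 + x_2 - 12341)^{16}\,(x_4x_5^2 - 12x_6x_8)^{11},\\
x_2' &= 144\,(x_1 + x_3)\,(x_3^6 - 3x_1^2x_2^2x_3^2 + x_1^4x_2^2 + x_1^2x_2^4)\,(x_7^2 + x_2 - 12341)^{16}\,x_8\,(x_4x_5^2 - 12x_6x_8)^{11},\\
x_3' &= -32\,(x_1 + x_3)\,(x_3^6 - 3x_1^2x_2^2x_3^2 + x_1^4x_2^2 + x_1^2x_2^4)\,x_7\,(x_7^2 + x_2 - 12341)^{15}\,(x_4x_5^2 - 12x_6x_8)^{12},\\
x_4' &= 144\,(x_1 + x_3)\,(x_3^6 - 3x_1^2x_2^2x_3^2 + x_1^4x_2^2 + x_1^2x_2^4)\,x_6\,(x_7^2 + x_2 - 12341)^{16}\,(x_4x_5^2 - 12x_6x_8)^{11},\\
x_5' &= (x_1 + x_3)\,(2x_1x_2^4 + 4x_1^3x_2^2 - 6x_1x_2^2x_3^2)\,(x_4x_5^2 - 12x_6x_8)^{12}\,(x_7^2 + x_2 - 12341)^{16}\\
&\quad + (x_3^6 - 3x_1^2x_2^2x_3^2 + x_1^4x_2^2 + x_1^2x_2^4)\,(x_4x_5^2 - 12x_6x_8)^{12}\,(x_7^2 + x_2 - 12341)^{16},\\
x_6' &= (x_1 + x_3)\,(2x_2x_1^4 + 4x_2^3x_1^2 - 6x_2x_3^2x_1^2)\,(x_4x_5^2 - 12x_6x_8)^{12}\,(x_7^2 + x_2 - 12341)^{16}\\
&\quad + 16\,(x_1 + x_3)\,(x_3^6 - 3x_1^2x_2^2x_3^2 + x_1^4x_2^2 + x_1^2x_2^4)\,(x_4x_5^2 - 12x_6x_8)^{12}\,(x_7^2 + x_2 - 12341)^{15},\\
x_7' &= (x_1 + x_3)\,(6x_3^5 - 6x_1^2x_2^2x_3)\,(x_4x_5^2 - 12x_6x_8)^{12}\,(x_7^2 + x_2 - 12341)^{16}\\
&\quad + (x_3^6 - 3x_1^2x_2^2x_3^2 + x_1^4x_2^2 + x_1^2x_2^4)\,(x_4x_5^2 - 12x_6x_8)^{12}\,(x_7^2 + x_2 - 12341)^{16},\\
x_8' &= 12\,(x_1 + x_3)\,(x_3^6 - 3x_1^2x_2^2x_3^2 + x_1^4x_2^2 + x_1^2x_2^4)\,x_5^2\,(x_7^2 + x_2 - 12341)^{16}\,(x_4x_5^2 - 12x_6x_8)^{11},
\end{aligned}
$$

and let

$$h = (x_1 + x_3)\,(x_3^6 - 3x_1^2x_2^2x_3^2 + x_1^4x_2^2 + x_1^2x_2^4)\,(x_7^2 + x_2 - 12341)^{16}\,(x_4x_5^2 - 12x_6x_8)^{12}.$$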

Attempting to prove that h = 0 is invariant under the flow of this system using DRI we observe
running time of under 2 seconds. Reducing h to be square-free results in DRI running for over
8 minutes before it is able to prove the result. In this case, square-free reduction introduces a
performance penalty when checking for polynomial ideal membership (which is performed using
Gröbner bases with reverse lexicographic monomial ordering). We see that one needs to be careful
when using square-free reduction with DRI because even though it is reasonable to expect better
performance due to lower degrees in square-free reduced polynomials, performing this step may
make the Gröbner basis computation more difficult for some problems.

In our implementation of DRI, called DRIopt in the sequel, we use the square-free reduction
only as a pre-processing step for the quantifier elimination problems in the premise of DRI.

Remark 4. Notice that Prop. 14 does not have an analogue for DRI. In other words, if a polynomial
equation h = 0 is invariant for p, its irreducible factors need not define invariant equations
themselves. Geometrically, this means that if a variety is invariant under the flow of p, its
irreducible components need not be invariants under the flow of p. For instance, consider the
irreducible polynomials $q_1 = y - 1$ and $q_2 = x^2 + (y - 1)^2$. The equation $q_1 q_2 = 0$, which is equivalent
to y = 1, is invariant for p = (1, 0), since the premise of the proof rule DRI holds true for N = 3.
However, the equation $q_2 = 0$, which is equivalent to $x = 0 \land y = 1$, is not an invariant equation
for p.
Figure 5: Experimental performance of proof rules: problems solved per time (log scale)

6  Experimental  Comparison 

We  empirically  compare  the  running  time  performance  of  all  the  proof  rules  discussed  in  this 
paper on a heterogeneous collection of 76 invariant varieties (see Appendix A). The examples
we  used  originate  from  a  number  of  sources — many  come  from  textbooks  on  Dynamical  Systems; 
some  from  the  literature  on  formal  verification  of  hybrid  systems;  others  have  been  hand-crafted  to 
exploit  sweetspots  of  certain  proof  rules.  In  this  section,  the  prefix  SF  is  implicit  for  all  Lie-based 
proof  rules.  We  consider  4  equally  sized  classes  of  invariant  sets:  (1)  24  smooth  invariants,  where 
Lie  is  both  necessary  and  sufficient,  (2)  17  isolated  equilibria  as  trivial  (for  humans,  not  machines) 
equational  invariants  for  which  both  Lie°  and  Lie*  provide  necessary  and  sufficient  conditions, 
(3)  17  other  singularities  and  high  integrals,  (4)  18  functional  invariants,  where  DI=  is  necessary 
and  sufficient.  The  most  interesting  experimental  question  we  seek  to  address  here  is  whether 
the  greater  generality  of  the  more  deductively  powerful  proof  rules  also  comes  at  a  substantially 
higher  computational  cost  when  assessed  across  the  entire  spectrum  of  examples.  As  a  complement 
to  the  theoretical  deductive  power  relationships  between  the  different  proof  rules  (Section  4),  we 
also  seek  to  identify  some  nuances  in  the  complexity  of  the  conditions  in  the  premises,  which  the 
coarse-grained  complexity  bounds  miss,  being  highly  sensitive  to  the  number  of  variables. 

From  our  experiments  it  emerges  that  the  proof  rules  exhibit  different  (and  at  times  surprising) 
trade-offs  between  generality  and  efficiency.  Figure  5  compares  the  number  of  invariant  varieties 
that  each  rule  could  prove  within  60  seconds.  The  vertical  axis  shows  cumulative  time  spent  on 
the  problems.  All  runs  were  performed  on  an  Intel  Core  i5  1.7GHz  machine  with  4Gb  RAM. 
Generally,  we  observe  DRI  performing  very  well  across  the  entire  spectrum  of  problem  classes. 
This  is  very  encouraging,  but  also  at  first  sight  appears  to  defy  intuition  since  it  implies  that  one 
does  not  necessarily  sacrifice  performance  when  opting  to  use  a  more  deductively  powerful  rule. 
In  this  graph,  we  also  see  that  overall  Lie°  appears  to  offer  an  interesting  compromise  between 
deductive  power  and  efficiency — it  is  able  to  prove  a  significant  body  of  problems  that  are  out  of 
scope for Lie, while avoiding the complexity penalty which affects Lie* (due to introducing an
extra variable).

Figure 6: Number of problems solved per class (log scale).

A  more  careful  analysis  of  the  benchmarks  reveals  interesting  relationships  that  are  obscured  in 
the  “big  picture”;  to  see  them,  one  needs  to  consider  the  individual  classes  of  invariants  for  which 
some  of  the  sufficient  conditions  in  the  rules  are  in  fact  necessary  and  sufficient.  Together  with 
DRI,  this  yields  two  decision  procedures  for  each  class  and  allows  us  to  focus  only  on  running 
time  performance  and  assess  practicality  of  proof  rules.  In  Fig.  6,  we  observe  the  rules  Lie°  and 
Lie*  performing  very  well  in  proving  invariance  of  isolated  equilibria.  This  is  to  be  expected  as 
Lie°  in  particular  was  formulated  with  this  problem  class  in  mind.  It  is  interesting  that  DRI  remains 
highly  competitive  here;  though  its  performance  is  slightly  poorer  in  our  set  of  benchmarks. 

It  is  clear  that  because  proof  rules  Lie°  and  Lie*  generalize  Lie,  they  will  be  able  to  prove  every 
problem  in  the  smooth  invariant  benchmarks.  The  running  time  performance  of  the  three  rules 
is  almost  identical,  with  Lie  offering  a  slight  speed-up  over  its  generalizations.  The  premises  of 
Lie°  and  Lie*  impose  conditions  on  states  in  the  singular  locus,  which  is  the  empty  set  for  smooth 
invariants;  this,  in  practice,  appears  to  be  slightly  more  expensive  than  checking  an  equivalent 
property that the gradient is non-vanishing on the variety (as in the premise of Lie).

The  proof  rules  DI=  and  P-c,  corresponding  to  conditions  with  historical  origins  in  the  study 
of  integrability  of  dynamical  systems,  can  be  seen  to  perform  very  well  in  proving  functional 
invariants,  while  performing  very  poorly  in  benchmarks  for  isolated  equilibria.  In  proofs  of  smooth 
invariants their behaviour is radically different, with DI= proving only a handful of examples and
P-c  succeeding  in  proving  most  of  the  problems  very  efficiently.  This  can  be  explained  by  the  fact 
that  P-c  generalizes  DI=  and  is  therefore  more  deductively  powerful.  P-c  appears  slightly  slower 
at  proving  functional  invariants,  but  shows  very  impressive  running  time  performance  for  some 
problems from the smooth invariant benchmarks, where it is the fastest proof rule for many of
the problems where it succeeds. Comparing running time performance with DRI, we see that DRI is
only  slightly  slower  at  proving  functional  invariants  than  DI=  and  P-c.  Again,  the  performance  gap 
between  DRI  and  the  two  rules  appears  to  be  insignificant  for  most  problems.  Theoretically,  when 
P-c  proves  an  invariant,  DRI  applies  conditions  that  are  identical  to  the  premise  of  P-c.  Hence, 
although  DRI  is  a  generalization,  this  does  not  come  at  a  significant  extra  cost  for  the  classes  where 
P-c  shows  good  running  time  performance.  The  slightly  greater  running  time  of  DRI  compared  to 
that of P-c can be accounted for by the fact that in our implementation DRI computes the Gröbner
basis for every order N including for N = 1 where such computation is unnecessary.

For  functional  invariants  DI=  benefits  from  the  fact  that  the  condition  in  its  premise,  which 
requires showing that the Lie derivative evaluates to zero everywhere, is equivalent to showing
that  the  Lie  derivative  is  the  zero  polynomial,  which  can  be  checked  very  efficiently  by  symbolic 
computation,  without  a  decision  procedure  for  real  arithmetic. 

In  the  examples  featuring  singularities  and  high  integrals  in  the  benchmarks  we  see  DRI  as  the 
clear  winner,  simply  because  there  was  no  other  rule  that  was  tailored  to  work  on  this  class.  Indeed, 
the  structure  of  these  invariant  sets  can  be  rather  involved,  making  it  difficult  to  characterize  in  a 
single  proof  rule;  however,  sometimes  it  is  possible  to  exploit  the  structure  of  high  integrals  inside 
a  proof  system  and  arrive  at  very  efficient  proofs  that  outperform  DRI  [12]. 

It  is  not  surprising  that  DRI  should  overtake  all  the  other  rules  in  terms  of  deductive  power 
(it  is,  after  all,  necessary  and  sufficient);  what  is  remarkable  is  that  the  performance  we  observe 
for DRI is often very competitive with that of the sufficient rules when they also succeed at a proof.
This  observation  suggests  a  possible  strategy  for  proof  search  in  a  proof  system:  give  precedence 
to  DRI  and  switch  to  other  sufficient  rules  if  DRI  takes  longer  than  some  time-out  value.  The 
rationale  behind  this  decision  is  our  empirical  observation  that  DRI  performs  consistently  well  on 
all  problem  classes  we  considered,  but  it  is  also  sometimes  possible  to  save  time  by  using  a  proof 
rule  which  is  less  deductively  powerful.  It  is  important  to  note  here  that  the  overall  proof  system 
benefits  from  including  the  sufficient  proof  rules,  rather  than  relying  solely  upon  DRI. 


7  Related  Work 

Taly  &  Tiwari  in  [30]  investigate  an  approach  to  proving  invariance  properties  of  non-strict 
polynomial  inequalities  and  closed  semi-algebraic  sets  which  inspired  our  formulation  of  the  proof 
rules  Lie°  and  Lie*  for  real  algebraic  varieties;  we  employ  the  same  ideas  for  reasoning  about 
the  singular  locus  separately  and  appealing  to  the  Nagumo  theorem  for  the  proof  of  soundness. 
At  least  some  of  the  difficulties  encountered  with  inequalities  in  [30]  can  be  eliminated  for  real 
algebraic  sets  by  working  only  with  square-free  reduced  polynomials;  a  reduction  we  perform  as 
a  pre-processing  step.  Indeed,  in  [30]  the  authors  provide  a  simple  example  in  which  an  invariant 
polynomial equality is encoded as a polynomial inequality of the form $h^2 \le 0$ (over the reals this
is equivalent to $h^2 = 0$) which falls out of scope of their proof rules. Square-free reduction may
be extended to polynomial inequalities using order parity decomposition [8] and makes progress
possible on similar problems.

The deductive power of the proof rule DI (which generalizes DI= to semi-algebraic sets)
combined with other proof rules (such as differential cut or differential weakening) has been
investigated in [26]. In this work, we focus on sound proof rules for checking invariance properties of
algebraic  sets  and  investigate  their  deductive  power  as  well  as  their  practical  efficiency.  To  our 
knowledge,  this  is  the  first  attempt  to  structure  and  empirically  compare  the  performance  of  the 
proof  rules  we  considered. 


8  Conclusions  and  Future  Work 

We  have  theoretically  and  empirically  compared  proof  rules  for  checking  invariance  properties 
of  real  algebraic  sets  in  polynomial  vector  fields.  Our  work  investigated  an  important  aspect  of 
deductive  safety  verification  of  continuous  and  hybrid  dynamical  systems.  Namely,  given  the 
abundance  of  existing  sufficient  conditions  for  invariant  equations  (DI=,  C-c  and  P-c,  Lie),  in 
addition  to  the  extensions  of  Lie’s  criterion,  Lie°  and  Lie*,  and  the  recently  developed  necessary 
and  sufficient  conditions  for  real  algebraic  invariants  (DRI  [11]),  it  is  crucial  to  know  whether  the 
gains  in  deductive  power  come  at  the  price  of  greater  computational  complexity  and  poor  running 
time  performance  that  would  hinder  practical  applications.  The  work  presented  in  this  paper  leads 
us  to  arrive  at  the  following  conclusions: 

•  Empirically,  we  observe  that  the  most  deductively  powerful  rule  (DRI)  performs  very  well 
in  checking  invariance  of  polynomial  equalities. 

•  P-c  is  made  redundant  by  DRI  (DRI  strictly  increases  the  deductive  power  of  P-c  while 
being  equally  efficient). 

•  Reducing  polynomials  to  square-free  form  is  always  of  benefit  to  the  proof  rule  Lie  and  its 
generalizations,  where  it  yields  improvements  in  both  the  deductive  power  and  the  running 
time  performance. 

•  We  proved  that  combining  SF  with  the  proof  rules  DI=  and  C-c  yields  new  incomparable 
proof  rules,  whereas  SF  with  P-c  is  as  powerful  as  P-c  alone. 

•  Performing  square-free  reduction  of  an  invariant  candidate  may  introduce  a  performance 
penalty  for  DRI  and  therefore  cannot  be  regarded  as  an  optimization. 

It is our hope to extend this work to similarly study proof methods for invariance of
semi-algebraic sets in polynomial vector fields. This problem is of fundamental importance to
verification of continuous and hybrid systems [22, 24] and a better understanding of the factors affecting
proof rule efficiency has the potential to be of considerable practical utility. There are currently
three available methods that have been proposed for checking invariance of semi-algebraic sets: the
method of differential invariants due to Platzer [27], a characterization of invariant semi-algebraic
sets due to Liu et al. [17] and a method for closed semi-algebraic sets based on the Nagumo
theorem proposed by Taly & Tiwari [30]. The latter approach can unfortunately be shown to be
unsound (we identify the problem in Appendix B); however, this deficiency can be fixed. It would
be very interesting to extend the work presented in this paper to investigate the relationship
between deductive power and running time performance in the aforementioned methods. We leave
this for future work.
A Appendix. Benchmark tables

This section presents the benchmarks used to evaluate the performance of the proof rules. The
dimension of the vector field is given under Dim in the tables below. Also shown are the
polynomial degree of the invariant candidate (d.Inv) and the degree of the vector field (d.VF), defined as
the maximum degree of all the polynomials $p_i$. Times are shown in seconds. True means that
the proof rule was able to prove the invariance of the candidate, otherwise it prints ⊥ (except for
DRI which prints False as it is necessary and sufficient). The time out is set to 60s per rule per
problem.

Smooth  Invariants  (Regular  Varieties) 


Prob. 

Dim 

d.  Inv 

d.  VF 

DI 

P-c 

SFLie 

SFLie° 

SFLie* 

DRIopt

1 | 1 | 5 | 1 | 0.001 | 0.001 | 0.002 True | 0.002 True | 0.004 True | 0.005 True (N=3)
2 | 1 | 21 | 1 | 0.002 | 0.003 | 0.001 True | 0.001 True | 0.003 True | 0.035 True (N=11)
3 | 2 | 6 | 1 | 0.003 | 0.002 | 0.004 True | 0.005 True | 0.008 True | 0.023 True (N=5)
4 | 2 | 22 | 1 | 0.006 | 0.006 | 0.004 True | 0.005 True | 0.007 True | 0.419 True (N=21)
5 | 4 | 14 | 1 | 0.093 | 0.074 | 0.062 True | 0.128 True | 0.169 True | >60s
6 | 4 | 32 | 1 | 0.725 | 0.985 | 0.062 True | 0.137 True | 0.190 True | >60s
7 | 2 | 2 | 1 | 0.000×10^-3 | 0.000×10^-3 True | 0.000×10^-3 True | 0.000×10^-3 True | 0.000×10^-3 True | 0.002 True (N=1)
8 | 2 | 2 | 1 | 0.000×10^-3 True | 0.000×10^-3 True | 0.002 True | 0.002 True | 0.002 True | 0.000×10^-3 True (N=1)
9 | 3 | 1 | 1 | 0.000×10^-3 True | 0.000×10^-3 True | 0.000×10^-3 True | 0.000×10^-3 True | 0.000×10^-3 True | 0.000×10^-3 True (N=1)
10 | 2 | 1 | 5 | 0.002 | 0.000×10^-3 True | 0.002 True | 0.002 True | 0.002 True | 0.001 True (N=1)
11 | 2 | 2 | 3 | 0.002 | 0.002 True | 0.004 True | 0.006 True | 0.008 True | 0.002 True (N=1)
12 | 2 | 6 | 5 | 0.000×10^-3 True | 0.000×10^-3 True | 0.006 True | 0.006 True | 0.023 True | 0.002 True (N=1)
13 | 3 | 2 | 4 | 0.026 | 0.003 True | 0.008 True | 0.012 True | 0.024 True | 0.004 True (N=1)
14 | 4 | 2 | 4 | 0.079 | 0.006 True | 0.013 True | 0.019 True | 0.036 True | 0.009 True (N=1)
15 | 5 | 2 | 4 | 0.669 | 0.007 True | 0.020 True | 0.031 True | 0.056 True | 0.008 True (N=1)
16 | 3 | 2 | 3 | 0.000×10^-3 True | 0.000×10^-3 True | 0.000×10^-3 True | 0.000×10^-3 True | 0.000×10^-3 True | 0.001 True (N=1)
17 | 3 | 2 | 3 | 0.002 | 0.000×10^-3 True | 0.003 True | 0.004 True | 0.008 True | 0.002 True (N=1)
18 | 2 | 4 | 2 | 0.005 | 0.002 True | 0.005 True | 0.006 True | 0.016 True | 0.003 True (N=1)
19 | 2 | 2 | 2 | 0.000×10^-3 | 0.000×10^-3 True | 0.002 True | 0.002 True | 0.004 True | 0.001 True (N=1)
20 | 2 | 1 | 3 | 0.000×10^-3 | 0.000×10^-3 True | 0.001 True | 0.001 True | 0.001 True | 0.000×10^-3 True (N=1)
21 | 2 | 1 | 2 | 0.002 | 0.000×10^-3 True | 0.002 True | 0.002 True | 0.002 True | 0.001 True (N=1)
22 | 2 | 1 | 2 | 0.001 | 0.000×10^-3 True | 0.001 True | 0.002 True | 0.002 True | 0.001 True (N=1)
23 | 2 | 1 | 2 | 0.000×10^-3 | 0.000×10^-3 True | 0.001 True | 0.001 True | 0.001 True | 0.000×10^-3 True (N=1)
24 | 6 | 2 | 2 | 0.000×10^-3 True | 0.000×10^-3 True | 0.002 True | 0.005 True | 0.007 True | 0.002 True (N=1)



Isolated Equilibria

Prob. | Dim | d.Inv | d.VF | DI | P-c | SFLie | SFLie° | SFLie* | DRIopt
1 | 2 | 18 | 17 | 0.009 True | 0.005 True | 0.019 | 0.037 True | 0.204 True | 0.007 True (N=1)
2 | 1 | 1 | 1 | 0.000×10^-3 | 0.000×10^-3 True | 0.000×10^-3 True | 0.000×10^-3 True | 0.000×10^-3 True | 0.000×10^-3 True (N=1)
3 | 1 | 2 | 3 | 0.000×10^-3 | 0.000×10^-3 True | 0.000×10^-3 True | 0.000×10^-3 True | 0.001 True | 0.000×10^-3 True (N=1)
4 | 1 | 2 | 3 | 0.000×10^-3 | 0.001 | 0.002 True | 0.002 True | 0.006 True | 0.003 True (N=2)
5 | 2 | 2 | 2 | 0.004 | 0.002 True | 0.004 | 0.005 True | 0.006 True | 0.002 True (N=1)
6 | 2 | 46 | 4 | 34.470 | 0.016 | >60s | >60s | >60s | 0.451 True (N=3)
7 | 3 | 2 | 243 | >60s | 0.057 | 0.023 | 14.260 True | 14.180 True | >60s
8 | 2 | 128 | 5 | 0.429 | 0.050 | 0.004 | 0.012 True | 0.013 True | >60s
9 | 3 | 2 | 2 | 0.009 | 0.002 | 0.018 | 0.016 True | 0.026 True | 0.062 True (N=4)
10 | 3 | 25 | 2 | >60s | 0.007 | >60s | >60s | >60s | >60s
11 | 3 | 2 | 90 | >60s | 0.068 | 0.032 | 1.153 True | 1.082 True | 3.233 True (N=3)
12 | 4 | 2 | 4 | 0.717 | 0.003 | 0.014 | 3.084 True | 2.940 True | >60s
13 | 4 | 2 | 2 | 0.030 | 0.005 | 0.020 | 0.019 True | 0.035 True | 0.021 True (N=2)
14 | 4 | 2 | 2 | 0.002 | 0.002 | 0.019 | 0.023 True | 0.027 True | >60s
15 | 5 | 2 | 6 | 0.204 | 0.007 | 0.016 | 8.739 True | 8.674 True | >60s
16 | 5 | 12 | 3 | 0.757 | 0.013 | >60s | >60s | >60s | >60s
17 | 5 | 2 | 35 | >60s | 1.754 | 0.026 | >60s | >60s | >60s



Other Singularities

Prob. | Dim | d.Inv | d.VF | DI | P-c | SFLie | SFLie° | SFLie* | DRIopt
1 | 2 | 6 | 2 | 0.013 X | 0.005 X | 0.023 X | 0.029 True | 0.438 True | 0.054 True (N=3)
2 | 2 | 4 | 3 | 0.006 X | 0.004 True | 0.009 X | 0.014 True | 0.022 True | 0.003 True (N=1)
3 | 3 | 6 | 10 | 0.016 X | 0.006 X | 0.081 X | 0.081 True | >60s | >60s
4 | 3 | 4 | 3 | 0.010 X | 0.007 X | 0.067 X | 0.072 X | 0.468 X | 0.049 True (N=3)
5 | 3 | 4 | 3 | 0.004 X | 0.003 X | 0.015 X | 0.017 X | 0.043 X | 0.026 True (N=3)
6 | 3 | 4 | 1 | 0.004 X | 0.002 X | 0.016 X | 0.017 X | 0.025 X | 0.092 True (N=5)
7 | 7 | 14 | 1 | 0.003 X | 0.002 True | 0.007 X | 0.007 X | 0.007 True | 0.002 True (N=1)
8 | 2 | 4 | 2 | 0.005 X | 0.003 True | 0.007 X | 0.011 True | 0.037 True | 0.004 True (N=1)
9 | 2 | 4 | 2 | 0.013 X | 0.003 True | 0.015 X | 0.030 X | 0.056 True | 0.007 True (N=1)
10 | 3 | 4 | 3 | 0.005 X | 0.004 X | 0.031 X | 0.033 X | 0.055 X | 0.034 True (N=2)
11 | 3 | 6 | 2 | 0.001 X | 0.001 X | 0.017 X | 0.030 X | 0.049 X | 0.010 True (N=2)
12 | 5 | 6 | 2 | 0.003 X | 0.002 X | 0.080 X | 0.168 X | >60s | 0.058 True (N=2)
13 | 9 | 18 | 8 | 0.013 X | 0.023 X | >60s | >60s | >60s | >60s
14 | 5 | 4 | 4 | 0.096 X | 0.020 X | 0.071 X | 0.228 X | >60s | >60s
15 | 9 | 10 | 4 | 0.009 X | 0.010 X | 0.708 X | 0.511 X | >60s | 0.235 True (N=2)
16 | 3 | 4 | 3 | 0.006 X | 0.003 X | 0.020 X | 0.027 X | 0.050 X | 0.100 True (N=5)
17 | 6 | 2 | 2 | 0.001 True | 0.000×10^-3 True | 0.005 X | 0.014 True | 0.014 True | 0.002 True (N=1)
Conserved Quantities (Functional Invariants)

Prob. | Dim | d.Inv | d.VF | DI | P-c | SFLie | SFLie° | SFLie* | DRIopt
1 | 2 | 3 | 2 | 0.000×10^-3 True | 0.000×10^-3 True | 0.004 | 0.002 True | 0.007 True | 0.001 True (N=1)
2 | 2 | 6 | 5 | 0.000×10^-3 True | 0.000×10^-3 True | 0.007 | 0.007 True | 2.350 True | 0.002 True (N=1)
3 | 2 | 6 | 5 | 0.002 True | 0.001 True | 0.008 | 0.009 True | 0.030 True | 0.002 True (N=1)
4 | 2 | 4 | 1 | 0.000×10^-3 True | 0.000×10^-3 True | 0.014 | 0.014 | 0.026 | 0.003 True (N=1)
5 | 4 | 3 | 2 | 0.000×10^-3 True | 0.000×10^-3 True | 0.009 | 0.006 True | 0.031 True | 0.003 True (N=1)
6 | 3 | 6 | 10 | 0.002 True | 0.002 True | 0.028 | 0.021 True | >60s | 0.005 True (N=1)
7 | 4 | 2 | 1 | 0.001 True | 0.000×10^-3 True | 0.001 True | 0.002 True | 0.002 True | 0.002 True (N=1)
8 | 4 | 12 | 11 | 0.000×10^-3 True | 0.000×10^-3 True | 0.010 | 0.006 True | 0.025 True | 0.003 True (N=1)
9 | 8 | 12 | 11 | 0.005 True | 0.003 True | 0.007 True | 0.011 True | 0.011 True | 0.007 True (N=1)
10 | 8 | 9 | 8 | 0.003 True | 0.003 True | >60s | 0.069 True | >60s | 0.011 True (N=1)
11 | 8 | 75 | 74 | 0.000×10^-3 True | 0.192 True | >60s | >60s | >60s | 3.498 True (N=1)
12 | 8 | 31 | 30 | 0.000×10^-3 True | 0.006 True | 12.710 | >60s | >60s | 0.091 True (N=1)
13 | 8 | 29 | 28 | 0.000×10^-3 True | 0.003 True | 7.917 | 8.896 True | >60s | 0.025 True (N=1)
14 | 8 | 18 | 17 | 0.032 True | 0.029 True | 1.463 | 0.857 True | >60s | 0.045 True (N=1)
15 | 8 | 5 | 4 | 0.000×10^-3 True | 0.000×10^-3 True | >60s | 0.029 True | 0.362 True | 0.003 True (N=1)
16 | 8 | 16 | 15 | 0.000×10^-3 True | 0.035 True | 20.980 True | 27.560 True | >60s | 0.180 True (N=1)
17 | 3 | 2 | 1 | 0.000×10^-3 True | 0.000×10^-3 True | 0.001 | 0.001 True | 0.002 True | 0.000×10^-3 True
18 | 7 | 6 | 1 | 0.000×10^-3 True | 0.000×10^-3 True | 0.006 | 0.006 | 0.005 True | 0.001 True (N=1)
B  Appendix.  Fixing  Unsoundness  in  [30]

In  this  section  we  give  a  simple  example  that  highlights  a  soundness  issue  in  the  method  for  proving 
invariance  of  closed  semi-algebraic  sets  reported  in  [30].  We  will  require  an  additional  definition, 
which  we  give  below. 

Definition 7 (Contingent cone). Given a set $S \subset X$ and a state $x \in X$, the contingent cone to $S$ at $x$ is defined as the set of all vectors $v \in \mathbb{R}^n$ that are sub-tangent to $S$ at $x$. Formally, we write

$$K_S(x) = \left\{ v \in \mathbb{R}^n \;\middle|\; \liminf_{t \to 0^+} \frac{\operatorname{dist}(S,\, x + t v)}{t} = 0 \right\}.$$

The contingent cone has special properties that can, in practice, present challenges. In particular, one needs to be very careful when constructing the contingent cone for a conjunctive set in terms of the contingent cones for the individual conjuncts.

Proposition 16. Let $S_1, S_2 \subset X$, then in general

$$K_{S_1}(x) \cap K_{S_2}(x) \not\subseteq K_{S_1 \cap S_2}(x).$$

Proof. Consider the case where $X = \mathbb{R}^2$, $S_1 = \{x \mid x_2 + x_1^2 \le 0\}$ and $S_2 = \{x \mid x_2 - x_1^2 \ge 0\}$. The two sets intersect at $0 \in X$. At the origin, the contingent cones for the conjuncts are given by two half-planes $K_{S_1}(0) = \{x \mid x_2 \le 0\}$ and $K_{S_2}(0) = \{x \mid x_2 \ge 0\}$; the intersection of the contingent cones is given by the real $x_2$ line, i.e. $K_{S_1} \cap K_{S_2} = \{x \mid x_2 = 0\}$, whereas the contingent cone to the intersection of the two sets is given by the zero vector, $K_{S_1 \cap S_2} = \{0\}$. □

This property is the cause of unsoundness in the approach to proving invariance of closed semi-algebraic sets reported in [30, p. 393, lifting to formulas with boolean connectives]. By applying Nagumo's sub-tangency criterion to each conjunct restricted to the conjunction one is showing $p(x) \in K_{S_1}(x) \cap K_{S_2}(x)$ for all $x \in S_1 \cap S_2$. With this, one concludes that the origin is positively invariant under the vector field $p(x)$, corresponding to the system $\dot{x}_1 = 1$, $\dot{x}_2 = 0$ in the example from the above proof, which is patently not the case. One can remove this source of unsoundness by taking into account closure properties of the contingent cone; in particular, one needs to impose extra conditions that will guarantee the inclusion

$$K_{S_1}(x) \cap K_{S_2}(x) \subseteq K_{S_1 \cap S_2}(x).$$

Various  methods  exist  for  ensuring  this  property  (see  e.g.  [34])  and  it  is  thus  possible  to  remove 
the  source  of  unsoundness  in  [30].  In  [2],  the  authors  defined  practical  sets  in  a  way  that  encodes 
one  possible  sufficient  condition  for  ensuring  the  inclusion  above. 
(a) $x_2 + x_1^2 \le 0 \land x_2 - x_1^2 \ge 0$

(b) $\dot{x}_1 = 1,\ \dot{x}_2 = 0$

Figure 7: Example of unsoundness in [30]. Intersection of contingent cones to the conjuncts at 0 is shown in red.
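The counterexample from the proof of Proposition 16 can be checked numerically against Definition 7. The following is an added example, not code from the paper; the function names, the sample sequence of t values and the tolerance that stands in for the limit are assumptions made here.

```python
import math

def dist_S1(p):
    """Distance from p to S1 = {x | x2 + x1^2 <= 0}; valid for p[1] > -1/2."""
    p1, p2 = p
    if p2 + p1 * p1 <= 0:
        return 0.0  # p already lies in S1
    # The nearest boundary point (a, -a^2) solves g(a) = 0; g is strictly
    # increasing for p2 > -1/2, so bisection finds its unique root.
    def g(a):
        return 2 * a**3 + (1 + 2 * p2) * a - p1
    lo, hi = -abs(p1) - 1.0, abs(p1) + 1.0
    for _ in range(200):
        mid = (lo + hi) / 2
        if g(mid) > 0:
            hi = mid
        else:
            lo = mid
    a = (lo + hi) / 2
    return math.hypot(a - p1, -a * a - p2)

def dist_S2(p):
    """S2 = {x | x2 - x1^2 >= 0} is the mirror image of S1 in the x1 axis."""
    return dist_S1((p[0], -p[1]))

def dist_both(p):
    """S1 and S2 meet only at the origin, so the distance is the norm of p."""
    return math.hypot(p[0], p[1])

def ratios(dist, v, ts=(1e-1, 1e-2, 1e-3, 1e-4, 1e-5, 1e-6)):
    """dist(S, 0 + t*v) / t at the origin along a sequence t -> 0+."""
    return [dist((t * v[0], t * v[1])) / t for t in ts]

def in_cone(dist, v, tol=1e-3):
    """Numerical stand-in for 'liminf = 0': ratio at the smallest t < tol."""
    return ratios(dist, v)[-1] < tol

if __name__ == "__main__":
    p = (1.0, 0.0)  # vector field of the system x1' = 1, x2' = 0
    for name, d in (("S1", dist_S1), ("S2", dist_S2), ("S1 and S2", dist_both)):
        print(name, in_cone(d, p), ["%.1e" % r for r in ratios(d, p)])
```

For p = (1, 0) the ratio shrinks roughly like t for each conjunct but stays at 1 for the intersection, so the per-conjunct sub-tangency check passes while the origin is not invariant.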